CN106131066B - Authentication method and device

Info

Publication number: CN106131066B
Authority: CN (China)
Prior art keywords: target, terminal user, target terminal, mac, user
Legal status: Active
Application number: CN201610734459.3A
Other languages: Chinese (zh)
Other versions: CN106131066A
Inventors: 郑敏, 杨小朋
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd

Events: application filed by New H3C Technologies Co Ltd; priority to CN201610734459.3A; publication of CN106131066A; application granted; publication of CN106131066B; legal status active.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The present invention provides an authentication method and device. The method comprises: when a media access control (MAC) authentication trigger request for a target user terminal sent by a convergence switch is received, performing MAC authentication on the target user terminal; when MAC authentication of the target user terminal is complete, and the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs are received from the convergence switch, determining, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses, and controlling that target port to close and then reopen; and when a MAC authentication trigger request carrying the MAC address of the target user terminal is received again from the convergence switch, and the MAC address of the target user terminal is determined to have already passed authentication, allowing the target user terminal to access the network. The embodiments of the present invention improve the applicability of the authentication scheme.

Description

Authentication method and device
Technical field
The present invention relates to the field of network communication technology, and in particular to an authentication method and device.
Background technique
MAC (Media Access Control) + Portal authentication is currently a popular authentication mode. Its main principle is as follows:
When a user terminal comes online for the first time (a new MAC address appears on the network), MAC authentication is triggered on the access switch. The controller assigns the user terminal a guest VLAN (Virtual Local Area Network) and returns the URL (Uniform Resource Locator) of the Portal page. The user terminal initiates DHCP (Dynamic Host Configuration Protocol) in the guest VLAN to obtain a guest IP (Internet Protocol) address; once it holds a guest IP address, it is redirected to the Portal page for username and password authentication. After that authentication passes, the controller completes the binding of MAC address + username + password, and controls the port on the access switch that connects the user terminal to go down (close) and then up (open) again. Once the access switch port is up again, MAC authentication of the user terminal's MAC address is re-triggered, the user terminal applies for a new IP address, and it can then access the network normally.
In practice, however, it has been found that in the above scheme the authentication point must be on the access switch, where authentication is completed. Many different models of access switch are in use, and some models do not support the above scheme, so its application is rather limited.
Summary of the invention
The present invention provides an authentication method and device, to solve the problem that, in the existing MAC + Portal authentication scheme, implementing the authentication point on the access switch may leave the scheme with rather limited applicability because of the model or functional restrictions of some access switches.
According to a first aspect of the embodiments of the present invention, an authentication method applied to a controller is provided. The method comprises:
when a media access control (MAC) authentication trigger request for a target user terminal sent by a convergence switch is received, performing MAC authentication on the target user terminal;
when MAC authentication of the target user terminal is complete, and the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs are received from the convergence switch, determining, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses, and controlling the target port of the target access switch to close and then reopen;
when a MAC authentication trigger request carrying the MAC address of the target user terminal is received again from the convergence switch, and the MAC address of the target user terminal is determined to have already passed authentication, allowing the target user terminal to access the network.
According to a second aspect of the embodiments of the present invention, an authentication method applied to a convergence switch is provided. The method comprises:
when it is detected that a target user terminal comes online for the first time, sending a media access control (MAC) authentication trigger request to a controller, the MAC authentication trigger request carrying the IP address of the convergence switch, the number of the port on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal;
when MAC authentication of the target user terminal is complete, sending the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs to the controller, so that the controller determines, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses, and controls the target port of the target access switch to close and then reopen;
when it is detected that the target user terminal comes online again, sending to the controller again a MAC authentication trigger request carrying the MAC address of the target user terminal, so that the controller allows the target user terminal to access the network after determining that the MAC address of the target user terminal has already passed authentication.
According to a third aspect of the embodiments of the present invention, an authentication device applied to a controller is provided, comprising:
a receiving unit, configured to receive a media access control (MAC) authentication trigger request for a target user terminal sent by a convergence switch;
an authentication unit, configured to perform MAC authentication on the target user terminal;
a determination unit, configured to, when the authentication unit has completed MAC authentication of the target user terminal and the receiving unit receives from the convergence switch the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs, determine, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses;
a control unit, configured to control the target port of the target access switch to close and then reopen; and
a processing unit, configured to allow the target user terminal to access the network when the receiving unit again receives from the convergence switch a MAC authentication trigger request carrying the MAC address of the target user terminal and the authentication unit determines that the MAC address of the target user terminal has already passed authentication.
According to a fourth aspect of the embodiments of the present invention, an authentication device applied to a convergence switch is provided, comprising:
a detection unit, configured to detect that a user terminal comes online;
a transmission unit, configured to send a media access control (MAC) authentication trigger request to a controller when the detection unit detects that a target user terminal comes online for the first time, the MAC authentication trigger request carrying the IP address of the convergence switch, the number of the port on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal;
the transmission unit being further configured to, when MAC authentication of the target user terminal is complete, send the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs to the controller, so that the controller determines, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses, and controls the target port of the target access switch to close and then reopen;
the transmission unit being further configured to, when the detection unit detects that the target user terminal comes online again, send to the controller again a MAC authentication trigger request carrying the MAC address of the target user terminal, so that the controller allows the target user terminal to access the network after determining that the MAC address of the target user terminal has already passed authentication.
With the embodiments of the present invention, the mapping between access switch ports and VLANs is configured and stored in advance. When MAC authentication of a target user terminal is complete, the convergence switch sends the MAC address of the target user terminal and the VLAN to which it belongs to the controller; the controller determines, from that VLAN, the target port on the target access switch that the target user terminal accesses, and controls that target port to go down and then up again. When the convergence switch detects that the target user terminal has come online again, it sends the controller another MAC authentication trigger request carrying the MAC address of the target user terminal, so that, after the controller determines that the MAC address has already passed authentication, the data traffic of the target user terminal is mapped to the business VXLAN corresponding to that MAC address. Compared with the existing MAC + Portal authentication scheme, the authentication point is moved up to the convergence switch, so the scheme is no longer constrained by the model or functions of the access switches, and its applicability is improved.
Brief description of the drawings
Fig. 1 is a flow diagram of an authentication method provided in an embodiment of the present invention;
Fig. 2 is a flow diagram of another authentication method provided in an embodiment of the present invention;
Fig. 3 is an architecture diagram of a concrete application scenario provided in an embodiment of the present invention;
Fig. 4 is a structural diagram of an authentication device provided in an embodiment of the present invention;
Fig. 5 is a structural diagram of an authentication device provided in an embodiment of the present invention.
Specific embodiments
In order to enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments more apparent and easier to understand, the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, which is a flow diagram of an authentication method provided in an embodiment of the present invention, the authentication method may be applied to a convergence switch and, as shown in Fig. 1, may comprise the following steps.
It should be noted that in the embodiments of the present invention, the subject executing steps 101 to 103 may be the convergence switch or the processor of the convergence switch, such as its CPU (Central Processing Unit); for ease of description, the following takes the convergence switch as the executing subject of steps 101 to 103.
Step 101: when it is detected that a target user terminal comes online for the first time, send a MAC authentication trigger request to the controller. The MAC authentication trigger request carries the IP address of the convergence switch, the number of the port on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal.
In the embodiments of the present invention, "target user terminal" does not refer to one specific, fixed user terminal, but to any user terminal being authenticated; this is not repeated below.
In the embodiments of the present invention, it is considered that in the existing MAC + Portal authentication scheme the authentication point is on the access switch, and that an existing network contains many access switches, possibly of many different models or functions, whose support for the authentication function differs, which makes authentication management difficult. Therefore, in the present invention the authentication point is placed on the convergence switch, moving authentication control upward so that it can be managed in a more centralised way, unaffected by the models or functions of the access switches, which reduces the difficulty of authentication management.
Correspondingly, when the convergence switch detects that a target user terminal comes online for the first time, it sends the controller a MAC authentication trigger request carrying its own IP address, the number of the port on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal, so as to trigger the controller to perform MAC authentication on the target user terminal.
It is worth noting that in an actual network a user terminal may access the network through an access switch (in which case the port on the convergence switch that connects the target user terminal is the convergence switch port connected to the access switch accessed by the target user terminal), or may access the network directly through the convergence switch (in which case it is the convergence switch port connected to the target user terminal itself). Unless otherwise specified, in the embodiments of the present invention the convergence switch port number carried in the MAC authentication trigger request refers to the port of the convergence switch connected to the access switch accessed by the target user terminal.
In the embodiments of the present invention, when the controller receives the MAC authentication trigger request sent by the convergence switch, it performs MAC authentication on the target user terminal; for the specific implementation, refer to the description of the method flow shown in Fig. 2, which is not repeated here.
Step 102: when MAC authentication of the target user terminal is complete, send the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs to the controller, so that the controller determines, according to the target VLAN and the pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses, and controls the target port of the target access switch to close and then reopen.
In the embodiments of the present invention, to enable the controller to locate the port position of a user terminal on an access switch, a corresponding VLAN may be configured in advance for each port of each access switch, and the correspondence between access switch port numbers and VLANs is stored in the controller or in a gateway system.
Correspondingly, when MAC authentication of the target user terminal is complete, the convergence switch obtains the VLAN to which the target user terminal belongs (referred to herein as the target VLAN) and sends the MAC address of the target user terminal and the target VLAN to the controller.
When the controller receives the MAC address of the target user terminal and the target VLAN sent by the convergence switch, it queries the pre-stored correspondence between VLANs and access switch port numbers with the target VLAN, and determines the port (referred to herein as the target port, i.e. the port on the target access switch that connects the target user terminal) of the access switch corresponding to the target VLAN (referred to herein as the target access switch, i.e. the access switch accessed by the target user terminal).
After determining the target port of the target user terminal on the target access switch, the controller can control that port through a MIB (Management Information Base) or another control protocol. When the controller determines that authentication of the MAC address of the target user terminal has passed, it controls the target port on the target access switch to go down, so that the target access switch disassociates the target user terminal, and then controls the target port on the target access switch to go up again, so that the target user terminal comes online again.
Step 103: when it is detected that the target user terminal comes online again, send the controller again a MAC authentication trigger request carrying the MAC address of the target user terminal, so that the controller allows the target user terminal to access the network after determining that the MAC address of the target user terminal has already passed authentication.
In the embodiments of the present invention, when the convergence switch detects that the target user terminal comes online again, it sends the controller another MAC authentication trigger request carrying the MAC address of the target user terminal. After receiving this request, the controller determines that the MAC address carried in it has already passed authentication, and allows the target user terminal to access the network.
Specifically, the controller can map the data traffic of the target user terminal to the business VXLAN (Virtual Extensible Local Area Network) corresponding to the MAC address of the target user terminal, based on the MAC address of the target user terminal, the target port of the target access switch that the target user terminal accesses, and the VLAN corresponding to the target port. That is, data traffic entering the target port whose source MAC is the MAC address of the target user terminal and whose carried VLAN ID is the VLAN ID corresponding to the target port is allowed to pass through the business VXLAN, so that the target user terminal does not have to perform Portal authentication every time it accesses the network.
In the embodiments of the present invention, a corresponding business VXLAN may be assigned in advance to each MAC address. When the controller determines that the MAC address of the target user terminal has passed authentication, it queries the correspondence between MAC addresses and business VXLANs with the MAC address of the target user terminal, and so determines the business VXLAN corresponding to that MAC address.
In the embodiments of the present invention, when the target user terminal comes online again (i.e. after the target port on the target access switch goes down and then up again), it can perform DHCP again in the business VXLAN; after obtaining a new IP address, the user can access the network normally.
Referring to Fig. 2, which is a flow diagram of another authentication method provided in an embodiment of the present invention, the authentication method may be applied to a controller and, as shown in Fig. 2, may comprise the following steps.
It should be noted that in the embodiments of the present invention, the subject executing steps 201 to 203 may be the controller or the processor of the controller, such as its CPU; for ease of description, the following takes the controller as the executing subject of steps 201 to 203.
Step 201: when a MAC authentication trigger request for a target user terminal sent by the convergence switch is received, perform MAC authentication on the target user terminal.
In the embodiments of the present invention, when the convergence switch detects that a target user terminal comes online for the first time, it sends the controller a MAC authentication trigger request carrying its own IP address, the number of the port on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal, so as to trigger the controller to perform MAC authentication on the target user terminal.
When the controller receives the MAC authentication trigger request for the target user terminal sent by the convergence switch, it performs MAC authentication on the target user terminal.
In the embodiments of the present invention, performing MAC authentication on the target user terminal may include:
redirecting the target user terminal to the Portal page, and receiving the username and password submitted by the target user terminal through the Portal page;
when the username and password submitted by the target user terminal through the Portal page pass authentication, confirming that MAC address authentication of the target user terminal has passed, and generating a binding relationship among the MAC address, username and password of the target user terminal.
Specifically, when the controller receives the MAC authentication trigger request sent by the convergence switch, it may assign a guest VXLAN to the target user terminal, so that the target user terminal initiates a DHCP request in the guest VXLAN to obtain a guest IP address; the controller also returns the URL of the Portal page to the target user terminal, so that the target user terminal can be redirected to the Portal page after obtaining the guest IP address.
After the target user terminal is redirected to the Portal page, the user can enter a username and password on the Portal page for authentication.
If the username and password submitted by the target user terminal through the Portal page pass authentication, the controller considers MAC authentication of the target user terminal to have passed, and generates the MAC address + username + password binding relationship of the target user terminal.
Step 202: when MAC authentication of the target user terminal is complete, and the MAC address of the target user terminal and the target VLAN to which the target user terminal belongs are received from the convergence switch, determine, according to the target VLAN and the pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch that the target user terminal accesses, and control the target port of the target access switch to close and then reopen.
In the embodiments of the present invention, after the controller passes MAC authentication of the target user terminal, it may send a notification message to the convergence switch.
After the convergence switch determines that MAC authentication of the target user terminal has passed, it may send the MAC address of the target user terminal and the VLAN to which the target user terminal belongs (referred to herein as the target VLAN) to the controller.
When the controller receives the MAC address of the target user terminal and the target VLAN sent by the convergence switch, it queries the pre-stored correspondence between VLANs and access switch ports with the target VLAN, to determine the port (referred to herein as the target port) of the access switch corresponding to the target VLAN (referred to herein as the target access switch), that is, the port of the access switch that the target user terminal accesses.
Having determined the port of the access switch accessed by the target user terminal (i.e. the target port of the target access switch), the controller first controls the target port of the target access switch to go down, so that the target access switch disassociates the target user terminal and the target user terminal is in the down state; the controller then controls the target port of the target access switch to go up again, so that the target user terminal comes online again.
After the target user terminal comes online again, MAC authentication is performed again: after the convergence switch detects that the target user terminal is online again, it sends the controller another MAC authentication trigger request carrying the MAC address of the target user terminal, so as to trigger the controller to perform MAC authentication on the target user terminal again.
Step 203: when a MAC authentication trigger request carrying the MAC address of the target user terminal is received again from the convergence switch, and the MAC address of the target user terminal is determined to have already passed authentication, allow the target user terminal to access the network.
In the embodiments of the present invention, when the controller again receives from the convergence switch a MAC authentication trigger request carrying the MAC address of the target user terminal, it first judges whether that MAC address has already passed authentication; if the MAC address of the target user terminal has already passed authentication, username and password authentication need not be performed again.
As an alternative embodiment, the controller may query the MAC address + username + password binding relationships it maintains with the MAC address of the target user terminal; if a username and password bound to the MAC address of the target user terminal exist, it determines that the MAC address of the target user terminal has already passed authentication.
In the embodiments of the present invention, after the controller determines that the MAC address of the target user terminal has already passed authentication, it can query the pre-stored correspondence between MAC addresses and business VXLANs with the MAC address of the target user terminal, to determine the business VXLAN (Virtual Extensible Local Area Network) corresponding to that MAC address, and then map the data traffic of the target user terminal to that business VXLAN based on the MAC address of the target user terminal, the target port of the target access switch that the target user terminal accesses, and the VLAN corresponding to the target port. That is, data traffic entering the target port whose source MAC is the MAC address of the target user terminal and whose carried VLAN ID is the VLAN ID corresponding to the target port is allowed to pass through the business VXLAN, so that the target user terminal does not have to perform Portal authentication every time it accesses the network.
In the embodiments of the present invention, when the target user terminal comes online again (i.e. after the target port on the target access switch goes down and then up again), it can perform DHCP again in the business VXLAN; after obtaining a new IP address, the user can access the network normally.
It is worth noting that although the above method flows are described for the scenario in which a user terminal accesses the network through an access switch, the scheme of authenticating through the convergence switch in the embodiments of the present invention is not limited to that scenario: where a user terminal accesses the network directly through the convergence switch, it can likewise be authenticated through the convergence switch. In that scenario, when the controller controls the port down/up, the controlled port is the port on the convergence switch that connects the user terminal; other aspects are the same as in the above method flows and are not repeated here.
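The controller-side procedure above (steps 201 to 203, including the variant for a terminal wired directly to the convergence switch) is compact enough to model end to end. The following Python is an added example written for this page, not code from the patent or from New H3C. The message fields, the pre-stored VLAN-to-port and MAC-to-VXLAN tables, the MAC addresses, Portal credentials and VXLAN numbers are all constructed assumptions, and `port_driver` stands in for whatever MIB/SNMP or other control protocol the controller uses to bring a port down and up.

```python
# Controller-side model of the MAC + Portal scheme described above. Added example,
# not code from the patent or New H3C; all names, tables and values are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data, not values from the patent.
PORTAL_URL = "http://portal.example.invalid/login"  # URL returned to the terminal
GUEST_VXLAN = 9000                                  # guest VXLAN used before Portal login
CREDENTIALS = {"alice": "s3cret"}                   # Portal accounts (constructed)


@dataclass(frozen=True)
class TriggerRequest:
    """MAC authentication trigger request sent by the convergence switch."""
    switch_ip: str  # IP address of the convergence switch
    port: int       # convergence-switch port facing the terminal or its access switch
    mac: str        # MAC address of the terminal


@dataclass(frozen=True)
class FlowRule:
    """Business traffic admitted once a MAC has passed authentication (step 203)."""
    switch: str
    port: int
    vlan: int
    mac: str
    vxlan: int


class Controller:
    """Executes steps 201 to 203 of the description."""

    def __init__(self, vlan_to_port: Dict[int, Tuple[str, int]], mac_to_vxlan: Dict[str, int],
                 port_driver: Callable[[str, int, str], None]) -> None:
        self.vlan_to_port = vlan_to_port    # pre-stored VLAN -> (access switch, port)
        self.mac_to_vxlan = mac_to_vxlan    # pre-assigned MAC -> business VXLAN
        self.port_driver = port_driver      # stands in for MIB/SNMP or other port control
        self.triggers: Dict[str, TriggerRequest] = {}       # MAC -> last trigger request
        self.bindings: Dict[str, str] = {}                  # MAC -> bound username
        self.located: Dict[str, Tuple[str, int, int]] = {}  # MAC -> (switch, port, VLAN)
        self.flow_rules: List[FlowRule] = []

    def on_trigger(self, req: TriggerRequest) -> dict:
        """Handle a trigger request, whether the terminal is online for the first time or again."""
        self.triggers[req.mac] = req
        if req.mac in self.bindings and req.mac in self.located:
            # Step 203: the MAC has already passed authentication, so no second Portal login.
            switch, port, vlan = self.located[req.mac]
            vxlan = self.mac_to_vxlan[req.mac]
            self.flow_rules.append(FlowRule(switch, port, vlan, req.mac, vxlan))
            return {"action": "allow", "vxlan": vxlan}
        # Step 201: unknown MAC, so assign the guest VXLAN and redirect to the Portal.
        return {"action": "portal", "vxlan": GUEST_VXLAN, "url": PORTAL_URL}

    def on_portal_login(self, mac: str, username: str, password: str) -> bool:
        """Portal submission; on success record the MAC + username binding."""
        if mac not in self.triggers or CREDENTIALS.get(username) != password:
            return False
        self.bindings[mac] = username
        return True

    def on_auth_complete(self, mac: str, vlan: int) -> Tuple[str, int]:
        """Step 202: the convergence switch reports MAC and VLAN; locate and bounce the port."""
        if mac not in self.bindings:
            raise PermissionError(f"{mac} has not completed MAC authentication")
        if vlan in self.vlan_to_port:
            switch, port = self.vlan_to_port[vlan]
        else:
            # No access-switch entry: the terminal is wired straight to the convergence
            # switch, so bounce the convergence-switch port from the trigger request.
            switch, port = self.triggers[mac].switch_ip, self.triggers[mac].port
        self.located[mac] = (switch, port, vlan)
        self.port_driver(switch, port, "down")  # terminal is disassociated
        self.port_driver(switch, port, "up")    # terminal comes online again
        return switch, port

    def classify_frame(self, switch: str, port: int, vlan: int, src_mac: str) -> Optional[int]:
        """Business VXLAN for a frame, or None when it is not admitted.
        Admission matches ingress port, VLAN ID and source MAC together, as the text states."""
        for r in self.flow_rules:
            if (r.switch, r.port, r.vlan, r.mac) == (switch, port, vlan, src_mac):
                return r.vxlan
        return None


def run_scenario() -> Tuple[Controller, List[Tuple[str, int, str]], dict, dict]:
    """Walk one terminal through the whole flow; returns controller, port events, decisions."""
    events: List[Tuple[str, int, str]] = []
    ctrl = Controller(
        vlan_to_port={101: ("access-1", 1), 102: ("access-1", 2)},  # constructed table
        mac_to_vxlan={"00:11:22:33:44:55": 10001},                 # constructed table
        port_driver=lambda sw, p, state: events.append((sw, p, state)),
    )
    req = TriggerRequest("10.0.0.2", 24, "00:11:22:33:44:55")
    first = ctrl.on_trigger(req)                      # first online: guest VXLAN + Portal
    ctrl.on_portal_login(req.mac, "alice", "s3cret")  # Portal login passes
    ctrl.on_auth_complete(req.mac, vlan=101)          # access-1 port 1 down, then up
    second = ctrl.on_trigger(req)                     # online again: allowed, business VXLAN
    return ctrl, events, first, second
```

`run_scenario()` reproduces the sequence the description gives: the first trigger yields the guest VXLAN and Portal URL, the Portal login creates the binding, the VLAN report locates the access switch port and bounces it, and the second trigger is admitted without a second Portal login. Note that `classify_frame` admits a frame only when ingress port, VLAN ID and source MAC all match the rule installed for that terminal, which is how the text defines the business-VXLAN mapping; a bound MAC arriving on another port or in another VLAN is not mapped.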
In order to make those skilled in the art more fully understand technical solution provided in an embodiment of the present invention, below with reference to specific Application scenarios are illustrated technical solution provided in an embodiment of the present invention.
Fig. 3 is referred to, is a kind of configuration diagram of concrete application scene provided in an embodiment of the present invention, as shown in figure 3, It include controller, convergence switch, access switch and user terminal in the networking, and the whole net of the networking supports VXLAN Wherein, user terminal can access network by access switch to Overlay (a kind of stateless network technology), can also be direct Network is accessed by convergence switch.
Based on the application scenarios, the detailed process that the user terminal B1 for accessing network by access switch is authenticated It can be such that
0. A VLAN is configured for each access switch port, and the correspondence between access switch port numbers and VLANs is stored in the controller or gateway system; a business VXLAN is allocated for each MAC address, and the correspondence between MAC addresses and business VXLANs is stored in the controller or gateway system;
1. User terminal B1 comes online for the first time. The convergence switch detects that B1 is online and reports the IP address of the convergence switch, the port number on the convergence switch that connects B1, and the MAC address of B1 to the controller. The controller records these in a table (each entry may include the IP address of the convergence switch, the port number on the convergence switch that connects the user terminal, and the MAC address of the user terminal);
2. The controller issues a guest VXLAN to B1, maps B1's data traffic to the guest VXLAN, and returns a portal page URL to B1;
3. B1 initiates a DHCP request in the guest VXLAN and obtains a guest IP address;
4. After obtaining the guest IP address, B1 is redirected to the portal page, where the user enters a username and password for authentication. When the controller determines that the username and password submitted by B1 through the portal page pass authentication, it generates a binding of B1's MAC address, username and password;
5. After the convergence switch determines that B1's MAC authentication has passed, it sends B1's MAC address and the VLAN to which B1 belongs to the controller. Using B1's VLAN, the controller looks up the pre-stored correspondence between access switch ports and VLANs and determines the port on the access switch through which B1 is connected (assume it is port B1). Once B1 has passed authentication, the controller can bring that port Down and then UP again via MIB or another controller protocol;
6. When port B1 comes UP again, authentication is re-triggered. After the convergence switch detects that B1 is online again, it sends B1's MAC address to the controller. The controller determines that B1's MAC address has already passed authentication, so B1 does not need to submit its username and password again; the controller then maps B1's user data traffic to the business VXLAN corresponding to B1, based on B1's MAC address, port B1 and the VLAN corresponding to port B1;
7. B1 initiates a DHCP request in the corresponding business VXLAN to obtain a new IP address, after which it can access the network normally.
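The controller side of steps 0 to 7, modelled as an added example (this is not the patent's own code; the class, table and message names, the guest VXLAN ID, the portal URL, the user database and the sample MAC, switch and VLAN values are all assumptions). It keeps the step-0 tables, the step-1 session table and the step-4 MAC/username/password binding, refuses a VLAN report for a MAC that has not passed the portal login, and shows why the second MAC authentication trigger (step 6) needs no portal login.

```python
"""Controller-side model of the B1 authentication flow (example code, not from the patent)."""
import hashlib
from dataclasses import dataclass

GUEST_VXLAN = 10000                          # assumed guest VXLAN ID
PORTAL_URL = "https://portal.example/login"  # assumed portal page URL

# assumed user database: username -> SHA-256 digest of the password (no plaintext kept)
USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


@dataclass(frozen=True)
class MacAuthTrigger:
    """Step 1 / step 6 message from the convergence switch."""
    conv_switch_ip: str   # IP address of the convergence switch
    conv_port: int        # port on the convergence switch that connects the terminal
    mac: str              # MAC address of the user terminal


class Controller:
    def __init__(self, port_vlan_map, mac_vxlan_map):
        # step 0: (access_switch, port) -> VLAN and MAC -> business VXLAN are pre-stored
        self.port_vlan_map = dict(port_vlan_map)
        self.vlan_port_map = {vlan: key for key, vlan in port_vlan_map.items()}
        self.mac_vxlan_map = dict(mac_vxlan_map)
        self.sessions = {}      # step 1 table: mac -> {conv_switch_ip, conv_port, vlan}
        self.bindings = {}      # step 4: mac -> (username, password digest)
        self.traffic_map = {}   # mac -> VXLAN its data traffic is currently mapped to
        self.port_events = []   # ("down"/"up", access_switch, port) issued by the controller

    def on_mac_auth_trigger(self, msg):
        """Steps 1-2 on the first trigger, step 6 on the second."""
        sess = self.sessions.setdefault(msg.mac, {"vlan": None})
        sess.update(conv_switch_ip=msg.conv_switch_ip, conv_port=msg.conv_port)
        if msg.mac in self.bindings:
            # MAC already authenticated: no portal login, map straight to the business VXLAN
            vxlan = self.mac_vxlan_map[msg.mac]
            self.traffic_map[msg.mac] = vxlan
            return {"vxlan": vxlan, "portal": None}
        # first time online: guest VXLAN plus the portal page URL
        self.traffic_map[msg.mac] = GUEST_VXLAN
        return {"vxlan": GUEST_VXLAN, "portal": PORTAL_URL}

    def on_portal_login(self, mac, username, password):
        """Step 4: verify the portal credentials and bind MAC + username + password."""
        if mac not in self.sessions or self.traffic_map.get(mac) != GUEST_VXLAN:
            return False   # no guest session to authenticate
        digest = hashlib.sha256(password.encode()).hexdigest()
        if USER_DB.get(username) != digest:
            return False
        self.bindings[mac] = (username, digest)
        return True

    def on_mac_vlan_report(self, mac, vlan):
        """Step 5: the convergence switch reports MAC + VLAN after MAC auth passed.
        Returns the (access_switch, port) that was bounced, or None if refused."""
        if mac not in self.bindings:
            return None   # only a MAC that passed the portal login may trigger a bounce
        target = self.vlan_port_map.get(vlan)
        if target is None:
            return None   # VLAN absent from the pre-stored port/VLAN table
        self.sessions[mac]["vlan"] = vlan
        switch, port = target
        # Down, then UP again (via MIB or another controller protocol in the patent)
        self.port_events.append(("down", switch, port))
        self.port_events.append(("up", switch, port))
        return target


def run_b1_flow():
    """Walk user terminal B1 through steps 1-6 and return what the controller decided."""
    ctl = Controller(port_vlan_map={("access-1", 5): 105, ("access-1", 6): 106},
                     mac_vxlan_map={"00:11:22:33:44:b1": 20001})
    trig = MacAuthTrigger("10.0.0.2", 24, "00:11:22:33:44:b1")   # constructed sample
    first = ctl.on_mac_auth_trigger(trig)                          # steps 1-2
    stray = ctl.on_mac_vlan_report(trig.mac, 105)                  # step 5 before step 4
    bad = ctl.on_portal_login(trig.mac, "alice", "wrong")          # wrong password
    ok = ctl.on_portal_login(trig.mac, "alice", "correct horse")   # step 4
    bounced = ctl.on_mac_vlan_report(trig.mac, 105)                # step 5
    second = ctl.on_mac_auth_trigger(trig)                         # step 6, after port UP
    return {"first": first, "stray": stray, "bad": bad, "ok": ok,
            "bounced": bounced, "second": second, "events": ctl.port_events}


if __name__ == "__main__":
    for name, value in run_b1_flow().items():
        print(name, value)
```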
It can be seen from the above that in the technical solution provided in the embodiments of the present invention, the mapping between access switch ports and VLANs is preset and stored; when MAC authentication of the target user terminal is complete, the convergence switch sends the MAC address of the target user terminal and the VLAN to which it belongs to the controller; from that VLAN the controller determines the target port on the target access switch through which the target user terminal is connected, and brings the target port Down and then UP again; when the convergence switch detects that the target user terminal is online again, it sends a MAC authentication trigger request carrying the MAC address of the target user terminal to the controller again, so that, after the controller determines that the MAC address has already passed authentication, it maps the data traffic of the target user terminal to the business VXLAN corresponding to that MAC address. Compared with the existing MAC+portal authentication scheme, the authentication point is moved to the convergence switch, so the scheme is not restricted by the model or features of the access switch, which improves its applicability.
Referring to Fig. 4, which is a structural diagram of an authentication device provided in an embodiment of the present invention, the device can be applied to the controller in the method embodiment above. As shown in Fig. 4, the authentication device may include:
a receiving unit 410, configured to receive a media access control (MAC) authentication trigger request for a target user terminal sent by a convergence switch;
an authentication unit 420, configured to perform MAC authentication on the target user terminal;
a determination unit 430, configured to, when the authentication unit 420 has completed MAC authentication of the target user terminal and the receiving unit 410 receives the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs, as sent by the convergence switch, determine the target port of the target access switch through which the target user terminal is connected, according to the target VLAN and the pre-stored correspondence between VLANs and access switch ports;
a control unit 440, configured to close and then reopen the target port of the target access switch;
a processing unit 450, configured to, when the receiving unit 410 again receives a MAC authentication trigger request carrying the MAC address of the target user terminal from the convergence switch and the authentication unit 420 determines that the MAC address of the target user terminal has already passed authentication, allow the target user terminal to access the network.
In an optional embodiment, the authentication unit 420 is specifically configured to redirect the target user terminal to a portal page and receive the username and password submitted by the target user terminal through the portal page; when the username and password submitted by the target user terminal through the portal page pass authentication, it confirms that MAC address authentication of the target user terminal has passed and generates a binding of the MAC address, username and password of the target user terminal.
In an optional embodiment, the authentication unit 420 is specifically configured to determine that the MAC address of the target terminal has already passed authentication when a lookup by the MAC address of the target user terminal finds a username and password bound to that MAC address.
In an optional embodiment, the port number on the convergence switch that connects the target user terminal is the port number through which the convergence switch connects to the target access switch accessed by the target user terminal.
Referring to Fig. 5, which is a structural diagram of an authentication device provided in an embodiment of the present invention, the device can be applied to the convergence switch in the method embodiment above. As shown in Fig. 5, the authentication device may include:
a detection unit 510, configured to detect that a user terminal is online;
a transmission unit 520, configured to, when the detection unit 510 detects that a target user terminal is online for the first time, send a media access control (MAC) authentication trigger request to the controller, the MAC authentication trigger request carrying the IP address of the convergence switch, the port number on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal;
the transmission unit 520 being further configured to, when MAC authentication of the target user terminal is complete, send the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs to the controller, so that the controller determines, from the target VLAN and the pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch through which the target user terminal is connected, and closes and then reopens the target port of the target access switch;
the transmission unit 520 being further configured to, when the detection unit detects that the target user terminal is online again, send a MAC authentication trigger request carrying the MAC address of the target user terminal to the controller again, so that, after the controller determines that the MAC address of the target user terminal has already passed authentication, it allows the target user terminal to access the network.
In an optional embodiment, the port number on the convergence switch that connects the target user terminal is the port number through which the convergence switch connects to the target access switch accessed by the target user terminal.
For the implementation of the functions and effects of each unit in the devices above, refer to the implementation of the corresponding steps in the methods above; the details are not repeated here.
Since the device embodiments substantially correspond to the method embodiments, refer to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the embodiments above, by presetting and storing the mapping between access switch ports and VLANs, when MAC authentication of the target user terminal is complete the convergence switch sends the MAC address of the target user terminal and the VLAN to which it belongs to the controller; the controller determines from that VLAN the target port on the target access switch through which the target user terminal is connected, and brings the target port Down and then UP again; when the convergence switch detects that the target user terminal is online again, it sends a MAC authentication trigger request carrying the MAC address of the target user terminal to the controller again, so that, after the controller determines that the MAC address has already passed authentication, it maps the data traffic of the target user terminal to the business VXLAN corresponding to that MAC address. Compared with the existing MAC+portal authentication scheme, the authentication point is moved to the convergence switch, so the scheme is not restricted by the model or features of the access switch, which improves its applicability.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed here. This application is intended to cover any variations, uses or adaptations of the invention that follow its general principles, including such departures from the present disclosure as come within known or customary practice in the art. The specification and examples are to be considered as exemplary only, with the true scope and spirit of the invention being indicated by the following claims.
It will be appreciated that the present invention is not limited to the exact construction described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.

Claims (12)

1. An authentication method, applied to a controller, characterized in that the method comprises:
when a media access control (MAC) authentication trigger request for a target user terminal sent by a convergence switch is received, performing MAC authentication on the target user terminal, the MAC authentication trigger request carrying the IP address of the convergence switch, the port number on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal;
when MAC authentication of the target user terminal is complete and the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs are received from the convergence switch, determining the target port of the target access switch through which the target user terminal is connected according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, and controlling the target port of the target access switch to close and then reopen;
when a MAC authentication trigger request carrying the MAC address of the target user terminal is again received from the convergence switch and it is determined that the MAC address of the target user terminal has already passed authentication, allowing the target user terminal to access the network.
2. The method according to claim 1, characterized in that performing MAC authentication on the target user terminal comprises:
redirecting the target user terminal to a portal page, and receiving the username and password submitted by the target user terminal through the portal page;
when the username and password submitted by the target user terminal through the portal page pass authentication, confirming that MAC address authentication of the target user terminal has passed, and generating a binding of the MAC address, username and password of the target user terminal.
3. The method according to claim 2, characterized in that determining that the MAC address of the target user terminal has already passed authentication comprises:
when a lookup by the MAC address of the target user terminal finds a username and password bound to the MAC address of the target terminal, determining that the MAC address of the target terminal has already passed authentication.
4. The method according to claim 1, characterized in that the port number on the convergence switch that connects the target user terminal is the port number through which the convergence switch connects to the target access switch accessed by the target user terminal.
5. An authentication method, applied to a convergence switch, characterized in that the method comprises:
when it is detected that a target user terminal is online for the first time, sending a media access control (MAC) authentication trigger request to a controller, the MAC authentication trigger request carrying the IP address of the convergence switch, the port number on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal;
when MAC authentication of the target user terminal is complete, sending the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs to the controller, so that the controller determines, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch through which the target user terminal is connected, and controls the target port of the target access switch to close and then reopen;
when it is detected that the target user terminal is online again, sending a MAC authentication trigger request carrying the MAC address of the target user terminal to the controller again, so that, after the controller determines that the MAC address of the target user terminal has already passed authentication, the target user terminal is allowed to access the network.
6. The method according to claim 5, characterized in that the port number on the convergence switch that connects the target user terminal is the port number through which the convergence switch connects to the target access switch accessed by the target user terminal.
7. An authentication device, applied to a controller, characterized by comprising:
a receiving unit, configured to receive a media access control (MAC) authentication trigger request for a target user terminal sent by a convergence switch;
an authentication unit, configured to perform MAC authentication on the target user terminal;
a determination unit, configured to, when the authentication unit has completed MAC authentication of the target user terminal and the receiving unit receives the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs from the convergence switch, determine the target port of the target access switch through which the target user terminal is connected according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports;
a control unit, configured to control the target port of the target access switch to close and then reopen;
a processing unit, configured to, when the receiving unit again receives a MAC authentication trigger request carrying the MAC address of the target user terminal from the convergence switch and the authentication unit determines that the MAC address of the target user terminal has already passed authentication, allow the target user terminal to access the network.
8. The device according to claim 7, characterized in that
the authentication unit is specifically configured to redirect the target user terminal to a portal page and receive the username and password submitted by the target user terminal through the portal page; and, when the username and password submitted by the target user terminal through the portal page pass authentication, to confirm that MAC address authentication of the target user terminal has passed and to generate a binding of the MAC address, username and password of the target user terminal.
9. The device according to claim 8, characterized in that
the authentication unit is specifically configured to determine that the MAC address of the target terminal has already passed authentication when a lookup by the MAC address of the target user terminal finds a username and password bound to the MAC address of the target terminal.
10. The device according to claim 7, characterized in that the port number on the convergence switch that connects the target user terminal is the port number through which the convergence switch connects to the target access switch accessed by the target user terminal.
11. An authentication device, applied to a convergence switch, characterized by comprising:
a detection unit, configured to detect that a user terminal is online;
a transmission unit, configured to, when the detection unit detects that a target user terminal is online for the first time, send a media access control (MAC) authentication trigger request to a controller, the MAC authentication trigger request carrying the IP address of the convergence switch, the port number on the convergence switch that connects the target user terminal, and the MAC address of the target user terminal;
the transmission unit being further configured to, when MAC authentication of the target user terminal is complete, send the MAC address of the target user terminal and the target virtual local area network (VLAN) to which the target user terminal belongs to the controller, so that the controller determines, according to the target VLAN and a pre-stored correspondence between VLANs and access switch ports, the target port of the target access switch through which the target user terminal is connected, and controls the target port of the target access switch to close and then reopen;
the transmission unit being further configured to, when the detection unit detects that the target user terminal is online again, send a MAC authentication trigger request carrying the MAC address of the target user terminal to the controller again, so that, after the controller determines that the MAC address of the target user terminal has already passed authentication, the target user terminal is allowed to access the network.
12. The device according to claim 11, characterized in that the port number on the convergence switch that connects the target user terminal is the port number through which the convergence switch connects to the target access switch accessed by the target user terminal.
CN201610734459.3A 2016-08-26 2016-08-26 A kind of authentication method and device Active CN106131066B (en)

Publications (2)

Publication Number Publication Date
CN106131066A CN106131066A (en) 2016-11-16
CN106131066B true CN106131066B (en) 2019-09-17
